As a protocol, PGP is surprisingly simple. Here is what happens if you want to use it to securely send a message to someone:
If you want to sign your message then you:
The simple key handling is where the minimalism comes from. It is why PGP can be used in so many non-email contexts.
As a contrast, consider the Signal Protocol for instant messaging. I will not attempt to describe Signal in any detail, as I would get parts of it wrong, and it would also make for a pointlessly long article. There is a high-level description of the Signal protocol here. None of the following comments are intended as criticism; they are intended to give an idea of the total complexity of the protocol:
The Signal Protocol is built on ideas from the Off the Record (OTR) protocol. Interestingly enough, OTR was intended to improve PGP by adding extra functionality. Signal adds functionality on top of the OTR functionality. So Signal could be considered the result of an attempt to improve something by making it more complex.
I believe that reliability and security are best achieved with simple systems. OpenPGP is a standard that describes such a system.
It could be bad if you just came up with it and forget it, and people think it’s bad if it only has lowercase and no numbers or punctuation. But a 5-6 word sentence could be quite secure, especially if it’s a bit weird. “Lemons make a delicious snack in my house.”
I tell all my old relatives to write their passwords down in a little notebook. As long as there isn’t someone there regularly whom I don’t trust, it is much better than using the same password, and if the physical security at their house is compromised, there are bigger concerns than a notebook of banking passwords.
We write down all the passwords to our most secure systems – but then we rip them in half and put them in 2 separate safes.
Did I say passwords? I meant encryption keys.
Most of the gangs out there use tools that don’t do a full search, so they go through the default port list.
Takes 60 seconds to set up, and an additional 5s each time you use it, but can save you hours if not days of manual recovery efforts with support to regain access to a compromised account. Yet people don’t like the idea.
If you are using TOTP for your MFA, you can even put it right in the browser with a plug-in. I use this approach for work. It’s very convenient.
If you use a password manager that supports TOTP and auto type (e.g. KeePassXC) then you don’t even need to mess with it once you have it set up.
Those “sign into our app with your (Google, Microsoft, etc) account” things. As long as you trust the ID provider and the app, it’s usually secure. More so, considering it prevents password reuse, and you aren’t exposed if any of those 3rd party apps have a breach.
Yes it’s annoying to need two devices every time you want to log into your most precious accounts, but trust me, I’d rather take the extra 10 seconds to authorize a login than go through the hell of having my account breached.
The argument is that ‘you can’t change your face/finger’ but it is actually more secure than other ‘magic link’ providers.
Let me be clear, there are some providers that are still iffy on security. But there are also some that have device-native authentication (you need the device to auth), don’t store passwords or password hashes, and only hold public keys.
One example of this is https://passage.id/ which is about as secure as you can get.
Yes, they had a bunch of issues at the start, but they fixed them. I would much rather work with a company that had security assessments and fixed the problems rather than a company which has never been assessed.
<Rant>
People don’t see value of putting effort in cybersecurity because they don’t see any material gains from it. The best thing they can see is nothing bad happening.
No news isn’t good enough as good news. This is enough for most people to ignore all cybersecurity advice altogether.
This is similar to people not taking care of themselves health-wise, because the best thing they can see is not getting sick.
</Rant>
Hackers commonly use social engineering attacks because they can be very effective. By using social engineering, hackers can take advantage of people’s trusting nature and willingness to help others. They can also exploit the fact that people are often not well-informed about security and privacy issues. For example, a hacker might pose as a customer service representative and ask for someone’s password. Or, they might send an email that looks like it is from a trusted source, such as a bank or government agency, and ask the recipient to click on a link or download an attachment. If the person falls for the deception, the hacker can gain access to their accounts or infect their computer with malware. That is why it is important to be aware of these types of attacks and know how to protect yourself.
Cyber attackers commonly use social engineering attacks for a number of reasons. First, hacking into a person’s or organization’s computer systems is becoming increasingly difficult as security measures become more sophisticated. Second, even if a hacker is able to gain access to a system, they are likely to be discovered and caught before they can do any significant damage. Third, social engineering attacks allow hackers to bypass security measures and obtain sensitive information without being detected. Finally, social media platforms have made it easier for cyber attackers to obtain personal information about their targets and to carry out attacks. As a result, social engineering attacks are an attractive option for many cyber attackers.
Cybersecurity is often thought of as a complex and technical field, but there are actually many simple things that everyone can do to help stay safe online. For example, one way to protect your online communications is to use PGP encryption. This type of encryption is incredibly difficult for even the most skilled hacker to break, but it’s also easy to use. Another way to improve your cybersecurity is to use very long passwords that are actually a sentence. This may seem daunting, but using a phrase as your password makes it much harder for hackers to guess. Additionally, changing the default ports for certain services can help prevent unauthorized access. And finally, unplugging the ethernet cable when you’re not using it is a great way to physically block hackers from accessing your device. By following these simple tips, you can dramatically improve your cybersecurity and protect your privacy.
source: r/cybersecurity
Where can I learn how to work with extremely large data sets in cybersecurity, as a security analyst? submitted by /u/Normal-Work-4326
https://www.piiano.com/blog/how-to-protect-customers-secrets-in-your-saas-offering submitted by /u/Piiano_sec
https://securityaffairs.com/162811/hacking/mitre-security-breach-china.html This is an update on the attack from Security Affairs, to supplement the initial one I posted at the time the attack was reported. Edit: To clarify, I didn't write the article; I'm only posting it as a follow-on. submitted by /u/Vengeful-Peasant1847
Are there any good, maybe free, password managers that work on Windows and Android? My fear is that even if they store passwords in a cloud DB or offline DB with all kinds of master passwords, 2FA or further measures, if some app is hacked on an Android phone (or is just a malicious one) it could just "take a screenshot" or similar without knowledge and consent. Once the password DB is unlocked by an end user to look up a password, could another program hijack it somehow? Is that paranoid? It would be great to have a small pocket vault on a keychain that could display my passwords when I browse it. Does such a thing exist? Or anything else considered "most safe/safest"? submitted by /u/malvinorotty
I understand there is formal education and there are certificates for this. But I'm looking more towards previous employment and work experience! What are some consistent previous roles, jobs and positions that penetration tester employers look at and think “This will be a good candidate”? submitted by /u/Unusual-Economics-62
Hi all, The EU's proposed Cyber Resilience Act is a big deal for anyone involved in hardware and software with digital elements. To sum it up, it aims to raise the bar on cybersecurity by setting mandatory standards for these products. Think automatic security updates, clear vulnerability reporting, and a focus on secure design throughout a product's lifecycle. This means better protection for consumers and businesses alike! But what are your thoughts? Is the CRA a step in the right direction? Are there any potential downsides? I'm also happy to dive deeper into how companies can get a head start on compliance. The CRA isn't here yet, but there are plenty of proactive changes you can make to future-proof your products. Looking forward to your reactions. PS: compliance will be mandatory to maintain and/or start exporting to the EU! submitted by /u/i46_sro
While evaluating AWS WAF I noticed that by default AWS WAF can only inspect the first 8k bytes of the payload. Wondering if this AWS WAF limitation is a serious concern. Even if a WAF could inspect the entire payload, I would assume it would add significant latency. Have there been any serious exploits that can be embedded deep in the payload? submitted by /u/vmsanaaa6
Anyone ever had to work on this vulnerability? A vendor is requesting a CVE and I don't have a specific one to give him. 4.0 is EOL and my employees are running 4.0 on all endpoints (version 1.24). It seems that it is recommended to update to a more current and supported version of MSXML, which looks to be 6.0+. What kind of CVE can I send to the vendor, because there isn't anything pertaining to just 4.0? I'm so stressed and confused at this point, I'm not sure what to do. Microsoft XML Parser (MSXML) and XML Core Services Unsupported | Tenable® submitted by /u/xyzal1
How many meetings do you usually have in a day? How many times do you meet with your manager/CISO? As you can tell, story of my life!! submitted by /u/littleknucks
I’ve seen a fair few comments on here (though I don’t check in regularly) about how pen testing is not for a newbie. Why is that? I’m in my mid 30s looking for a change. If you go in at the bottom, as a complete junior, can it work? (UK) submitted by /u/KisstheCat90
I just started going back to college to get an associate's degree in Cyber Security while working in IT, and planned on transferring to get a Bachelor's afterward. Now I am feeling discouraged after seeing posts of people struggling to get hired despite having a degree and experience, and the recent press release from the National Cyber Director. Is there any hope for anyone just starting? submitted by /u/asterlives
I'm considering switching to information security after being in my current software dev role for about 3-4 years now. My schooling is in computer science with a concentration in cyber security, and I'd like to finally be able to use what I learned in college. My question is, with all the targeted attacks and data gathering going on right now, how visible do you set your LinkedIn profile without giving too much away? Currently I have my profile picture set only to 3 connections away, but do I need to make it public? What about the About and Experience sections? I'm hoping to have both recruiters (which I have Open to Work set for those not in my company) and people from other roles notice me more easily. submitted by /u/sonofagenius
Hi, I'm hoping to familiarize myself with SIEM platforms by setting up a system on my home network. Can someone recommend an open source or trial based installation that I can fiddle around with? Preferably something commonly used in the real world. submitted by /u/Leather-Chef-6550
I just landed a great paying job as a Senior Security Endpoint Analyst (L3). To my surprise 80% of the alerts are customer petitions. For example: "FW is dropping connections", "I want to install x program", etc. Almost no alert comes from EDR. I left a challenging job for this and I feel kind of bad... Are there any other SOC Analysts that feel like this? submitted by /u/Sarciteu
I have always heard “automate everything”, but there are very few things I have been able to automate, and with MS security products things are even harder to automate. So what have you boys/girls automated, and what do you wish we could automate? submitted by /u/ThePorko
Post your screenshots of your biggest whoppers: desperate MSSPs and 10 ply CISO influencers trying to get your business. submitted by /u/inteller